
Upgrade Log4j from 2.25.3 to 2.25.4 to address CVE-2026-34480 #1636

Description

@stephenmcconnachie

Summary

The current DROID project (droid-parent/pom.xml on main) pins Log4j at version 2.25.3:

```xml
<log4j2.version>2.25.3</log4j2.version>
```

This version is vulnerable to CVE-2026-34480 (CVSS 3.1: 7.5 HIGH).

The vulnerability

Apache Log4j Core's XmlLayout fails to sanitize characters forbidden by the XML 1.0 specification. When log messages or MDC (Mapped Diagnostic Context) values contain these characters:

  • JRE built-in StAX parser — forbidden characters are silently written to the output, producing malformed XML. Conforming XML parsers reject the document with a fatal error, which can cause downstream log-processing systems to silently drop affected records (integrity impact).
  • Alternative StAX implementations (e.g. Woodstox, a transitive dependency of the Jackson XML Dataformat module that DROID uses) — an exception is thrown during the logging call and the log event is never delivered to its intended appender; it only reaches Log4j's internal status logger, resulting in silent data loss.

Fix

Apache released Log4j 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.

Scope of change in DROID

Minimal — simply bump the property in droid-parent/pom.xml:

```xml
<log4j2.version>2.25.4</log4j2.version>
```

All Log4j module references (log4j-api, log4j-core, log4j-slf4j2-impl) use ${log4j2.version}, so a single property change propagates correctly to all sub-modules.

Suggested changelog entry

Upgrade Log4j from 2.25.3 to 2.25.4 (CVE-2026-34480). XmlLayout now sanitises XML 1.0 forbidden characters, preventing malformed XML output and silent log event loss.

References
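The failure mode described in the issue, as an added example that is not part of the issue, of DROID, or of Log4j's own code: a Python audit that applies the XML 1.0 `Char` production to constructed sample log messages, wraps them in a simplified stand-in for an XmlLayout event (`render_event` is an approximation, not Log4j's layout), and checks whether a conforming parser accepts the record before and after a sanitizing step. The same check can be run over an existing XML-format log archive to find records a downstream parser would drop.

```python
import re
import xml.etree.ElementTree as ET

# XML 1.0 "Char" production: any code point outside these ranges is forbidden
# in a well-formed document, even when written as a character reference.
_FORBIDDEN_XML10 = re.compile(
    "[^\u0009\u000A\u000D\u0020-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)

def forbidden_chars(text):
    """Return the code points in `text` that XML 1.0 does not allow."""
    return [ord(ch) for ch in _FORBIDDEN_XML10.findall(text)]

def sanitize(text, replacement="\uFFFD"):
    """Replace forbidden characters with U+FFFD so the event stays deliverable."""
    return _FORBIDDEN_XML10.sub(replacement, text)

def parses_as_xml(document):
    """True if a conforming (expat-backed) parser accepts the document."""
    try:
        ET.fromstring(document)
        return True
    except ET.ParseError:
        return False

def render_event(message):
    """Constructed approximation of an XmlLayout event (not Log4j's code).
    Markup characters are escaped as any layout would; control characters are
    passed through untouched, which is the behaviour the issue describes."""
    escaped = message.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    return '<Event level="INFO"><Message>%s</Message></Event>' % escaped

# Constructed sample messages: a clean one, one carrying a NUL byte from a bad
# filename, and one carrying ESC (0x1B) from an ANSI colour sequence.
SAMPLE_MESSAGES = [
    "profile complete: 1234 files",
    "bad filename: report\x00.pdf",
    "ansi in message: \x1b[31merror\x1b[0m",
]

def audit(messages):
    """For each message: (forbidden code points, raw record parses, sanitized record parses)."""
    results = []
    for m in messages:
        raw_ok = parses_as_xml(render_event(m))
        clean_ok = parses_as_xml(render_event(sanitize(m)))
        results.append((forbidden_chars(m), raw_ok, clean_ok))
    return results

if __name__ == "__main__":
    for msg, (bad, raw_ok, clean_ok) in zip(SAMPLE_MESSAGES, audit(SAMPLE_MESSAGES)):
        print(repr(msg), [hex(c) for c in bad], "raw parses:", raw_ok, "sanitized parses:", clean_ok)
```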
